undefined | Better HN

0 pointsyourad_io11y ago0 comments

AFAICT, the project zero team is about hunting down bugs and disclosing them responsibly.[1] They occasionally do write-ups on the project zero blog, after the vuln has gone public, but without actually giving out "kiddies-ready expoits", i.e. exploit source.

But even if they did, that still isn't a "questionable practice" - if the full details of the exploit are public, you'd barely need a writeup to connect the dots.

> Even if patches were available, it would be far better to wait for most devices to be patched before releasing a full exploit.

So, for router exploits (say), that would be Infinity? If the manufacturer doesn't care, or the update ecosystem is broken (or nonexistent), nobody is more secure because someone did a writeup about a vuln that everyone (..interested) knows about.

Most exploits, however complex their discovery process may have been, end up as "send these bytes in this order" - they are usually very simple to duplicate once you know where the bodies are buried.

[1] As the GP says, 90 days is responsible disclosure.

0 comments

2 comments · 1 top-level

giovannibajo111y ago· 1 in thread

I disagree that releasing an exploit is, per-se, not interesting. There are many kind of vulnerabilities, and some exploits are very complicated to write.

But really, that is not the point. I'm not debating disclosure vs non-disclosure. I'm debating having a "research team" employed by Google that publishes vulnerabilities and ready-to-use exploits for competing operating systems, irrespective of this probably being illegal because of their non-independent position. If Google wants to confirm that this is not a project to weaken competitions but to do true research for the sake of research itself and protection of end-users no matter what, they should (sooner or later) focus also on the major mobile operating system, Android, and give it equal treatment, including releasing ready-to-use exploits after 90 days. I'm sure Google will try an fix those vulns within 90 days as they are very good at it, but we also now that the great majority of Android devices will be fully vulnerable after 90 days. At that point, having a ready-to-use exploit circulating will be an interesting exercise of the ecosystem.

yourad_ioOP11y ago

> I disagree that releasing an exploit is, per-se, not interesting.

That isn't what I said, I believe my original point stands on its own. Please don't put words in my mouth, you don't know me that well :)

> There are many kind of vulnerabilities, and some exploits are very complicated to write.

The most complicated exploit that I can think of would require you to put the target system in "some state" before sending the triggering payload. In the most-most complicated situations, where you can't "just replay bytes" to get it into the state (dynamic handshake - think heartbleed) you just use a library to do the initialization (or whatever) for you and then use the raw socket from the lib to send the payload.

That isn't very complicated, but perhaps I'm limited by my imagination.

> ready-to-use exploits

I invited you to show a ready to use exploit on the Project Zero blog. Is there one, and I missed it?

> probably being illegal because of their non-independent position

Now you're just being silly. The burden of proof is on you for this.

> If Google wants to confirm that this is not a project to weaken competitions

Is this a popular enough opinion that Google should even know that it needs to confirm or prove anything?

The team does research, and the blog hosts writeups about public vulns. Some are even guest posts for crying out loud. The recent ntpd exploit could be applied to Linux as well. If you search for "Linux", plenty of stuff comes up. There may even be a corporate policy about not doing Android vuln writeups, but that still isn't malicious unless they're actually finding Android bugs and not patching them. If they do patch them, they'll get out. Them not having done a write-up on their blog isn't malicious.

The burden of proof for malice is on you. I'm all for tinfoil hat talk, but there has to be some substance, or it's just talk.

j / k navigate · click thread line to collapse